Security News > 2024 > August > Small CSS tweaks can help nasty emails slip through Outlook's anti-phishing net

Researchers say cybercriminals can have fun bypassing one of Microsoft's anti-phishing measures in Outlook with some simple CSS tweaks.

William Moody, IT security consultant at Certitude, blogged today about how First Contact Safety Tip - a banner displayed in Outlook when a user receives a message from an address that typically doesn't contact them - can be hidden using CSS style tags.

Because the First Contact Safety Tip is added to the HTML code of an email before the message content, all a phisher would have to do is craft an email solely in HTML, changing the banner's background and font both to white, and voila, the banner still exists but is no longer visible.

Moody said: "Although applying some more common CSS rules such as display: none, height: 0px, and opacity: 0 to the table itself doesn't seem to work, either due to the inline CSS in the elements or due to lack of support by the rendering engine Outlook uses, it is possible to change the background and font colors to white so that the alert is effectively invisible when rendered to the end user viewing the email."

The only drawback to this one is that the email preview displayed in the left-side pane in Outlook will still display the First Contact Safety Tip message in small, grey text under the email body preview.

As an added layer of perceived legitimacy to a potential phishing email, the same method can be applied to add a seemingly legitimate note to show the message was encrypted or signed.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/08/07/small_css_tweaks_can_help/